Document old_auid, new_auid, old_ses, new_ses

elastic · Mar 31, 2017 · 7cd7d52 · 7cd7d52
1 parent ececd94
commit 7cd7d52
Show file tree

Hide file tree

Showing 2 changed files with 41 additions and 0 deletions.
diff --git a/filebeat/docs/fields.asciidoc b/filebeat/docs/fields.asciidoc
@@ -878,6 +878,30 @@ Fields from the Linux audit logs. Not all fields are documented here because the
 The audit event type.
 
 
+[float]
+=== system.audit.old_auid
+
+For login events this is the old audit ID used for the user prior to this login.
+
+
+[float]
+=== system.audit.new_auid
+
+For login events this is the new audit ID. The audit ID can be used to trace future events to the user even if their identity changes (like becoming root).
+
+
+[float]
+=== system.audit.old_ses
+
+For login events this is the old session ID used for the user prior to this login.
+
+
+[float]
+=== system.audit.new_ses
+
+For login events this is the new session ID. It can be used to tie a user to future events by session ID.
+
+
 [float]
 === system.audit.sequence
 

diff --git a/filebeat/module/system/audit/_meta/fields.yml b/filebeat/module/system/audit/_meta/fields.yml
@@ -7,6 +7,23 @@
     - name: record_type
       description: >
         The audit event type.
+    - name: old_auid
+      description: >
+        For login events this is the old audit ID used for the user prior to
+        this login.
+    - name: new_auid
+      description: >
+        For login events this is the new audit ID. The audit ID can be used to
+        trace future events to the user even if their identity changes (like
+        becoming root).
+    - name: old_ses
+      description: >
+        For login events this is the old session ID used for the user prior to
+        this login.
+    - name: new_ses
+      description: >
+        For login events this is the new session ID. It can be used to tie a
+        user to future events by session ID.
     - name: sequence
       type: long
       description: >